Want more timely Centmin Mod News Updates?
Become a Member

Nginx [nginx-announce] nginx security advisory (CVE-2017-7529)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jul 12, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,992
    6,919
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,423
    Local Time:
    4:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    Hello!

    A security issue was identified in nginx range filter. A specially
    crafted request might result in an integer overflow and incorrect
    processing of ranges, potentially resulting in sensitive information
    leak (CVE-2017-7529).

    When using nginx with standard modules this allows an attacker to
    obtain a cache file header if a response was returned from cache.
    In some configurations a cache file header may contain IP address
    of the backend server or other sensitive information.

    Besides, with 3rd party modules it is potentially possible that
    the issue may lead to a denial of service or a disclosure of
    a worker process memory. No such modules are currently known though.

    The issue affects nginx 0.5.6 - 1.13.2.
    The issue is fixed in nginx 1.13.3, 1.12.1.

    For older versions, the following configuration can be used
    as a temporary workaround:

    max_ranges 1;

    Patch for the issue can be found here:

    http://nginx.org/download/patch.2017.ranges.txt


    --
    Maxim Dounin
    http://nginx.org/
    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce

    Continue reading...
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,992
    6,919
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,423
    Local Time:
    4:23 PM
    Nginx 1.13.x
    MariaDB 5.5